Kimsuky targets domestic research institutes with disguised import declarations
2023-11-21 • Ahnlab
ASEC reported Kimsuky distributing a malicious JSE dropper disguised as an import declaration to South Korean research institutes. The dropper contains obfuscated PowerShell, a Base64-encoded backdoor, and a benign PDF with target information, then writes a backdoor under ProgramData and executes it with rundll32.exe. The malware copies itself as IconCache.db for scheduled-task persistence, collects antivirus, network, host, user, and OS data, encodes command output for C2, and supports command execution and uploads to rscnode.dothome.co.kr.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | d6abeeb469e2417bbcd3c122c06ba099 | 2023-11-21 | 2024-03-05 |
| HASH | d2335df6d17fc7c2a5d0583423e39ff8 | 2023-11-21 | 2023-11-30 |
| URL | http://rscnode.dothome.co.kr/in… | 2023-11-21 | 2023-11-30 |
| URL | http://rscnode.dothome.co.kr/up… | 2023-11-21 | 2023-11-30 |
| DOMAIN | rscnode.dothome.co.kr | 2023-11-21 | 2023-11-30 |
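As an added detection example (not ASEC/AhnLab code), the Python below turns the behaviours described in the summary into rules and runs them over constructed JSON-lines endpoint telemetry: a script host launching a `.jse`, `rundll32.exe` loading a DLL from `ProgramData`, a scheduled task or `rundll32.exe` referencing `IconCache.db`, a connection to `rscnode.dothome.co.kr`, and the two hashes from the IOC table. The event field names, file paths, the DLL entry point and the sample events are assumptions; the page does not say where `IconCache.db` is written, nor which artefact each hash belongs to, so those details are placeholders.

```python
"""Detection sketch for the Kimsuky JSE-dropper chain summarised above.

Added example, not ASEC/AhnLab code. Rules are derived from the summary;
the sample events are constructed, not real telemetry.
"""
import json
import re

# Indicators copied from the page's IOC table. The hashes are 32 hex chars,
# so they are treated here as MD5 (the page lists them only as "HASH").
IOC_HASHES = {
    "d6abeeb469e2417bbcd3c122c06ba099",
    "d2335df6d17fc7c2a5d0583423e39ff8",
}
IOC_DOMAIN = "rscnode.dothome.co.kr"

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JSE_ARG = re.compile(r"\.jse\b", re.I)
PROGRAMDATA_ARG = re.compile(r"\\programdata\\", re.I)
ICONCACHE_ARG = re.compile(r"\biconcache\.db\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the names of every rule a single telemetry event matches."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        image = basename(event.get("image", ""))
        cmd = event.get("command_line", "")
        # Stage 1: the disguised JSE dropper run by a Windows script host.
        if image in SCRIPT_HOSTS and JSE_ARG.search(cmd):
            hits.append("jse_script_execution")
        # Stage 2: the dropped backdoor loaded from ProgramData via rundll32.
        if image == "rundll32.exe" and PROGRAMDATA_ARG.search(cmd):
            hits.append("rundll32_programdata_dll")
        # Stage 3: persistence, either the task being created or it firing.
        if image == "schtasks.exe" and ICONCACHE_ARG.search(cmd):
            hits.append("schtasks_iconcache_persistence")
        if image == "rundll32.exe" and ICONCACHE_ARG.search(cmd):
            hits.append("rundll32_iconcache_load")
    elif kind == "network":
        host = event.get("dest_host", "").lower().rstrip(".")
        if host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN):
            hits.append("ioc_c2_domain")
    # Atomic indicator: checked on any event type that carries a hash.
    if event.get("md5", "").lower() in IOC_HASHES:
        hits.append("ioc_hash_match")
    return hits


def scan(lines) -> list[tuple[int, str]]:
    """Scan JSON-lines telemetry; return (line_number, rule) for each hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the scan
        findings.extend((n, rule) for rule in classify(event))
    return findings


# Constructed sample telemetry (JSON lines). File names, the ProgramData
# paths and the DLL entry point "Start" are placeholders; only the hash and
# the domain come from the page. Lines 6 and 7 are benign controls.
SAMPLE_LOG = [
    r'{"type":"process","image":"C:\\Windows\\System32\\wscript.exe","command_line":"wscript.exe \"C:\\Users\\user\\Downloads\\Import_Declaration.jse\""}',
    r'{"type":"process","image":"C:\\Windows\\System32\\rundll32.exe","command_line":"rundll32.exe C:\\ProgramData\\sample.dll,Start"}',
    r'{"type":"process","image":"C:\\Windows\\System32\\schtasks.exe","command_line":"schtasks.exe /create /tn Sample /tr \"rundll32.exe C:\\ProgramData\\IconCache.db,Start\" /sc minute /mo 10"}',
    r'{"type":"network","image":"C:\\Windows\\System32\\rundll32.exe","dest_host":"rscnode.dothome.co.kr","dest_port":80}',
    r'{"type":"file","path":"C:\\Users\\user\\Downloads\\attachment.bin","md5":"d6abeeb469e2417bbcd3c122c06ba099"}',
    r'{"type":"process","image":"C:\\Windows\\System32\\rundll32.exe","command_line":"rundll32.exe shell32.dll,Control_RunDLL"}',
    r'{"type":"file","path":"C:\\Users\\user\\AppData\\Local\\IconCache.db","md5":"00000000000000000000000000000000"}',
]

if __name__ == "__main__":
    for line_no, rule in scan(SAMPLE_LOG):
        print(f"line {line_no}: {rule}")
```

Two caveats when turning this into a production rule: `IconCache.db` is also a legitimate Windows file under `%LOCALAPPDATA%`, so the rules above key on it appearing as an execution argument, not on the file existing (sample line 7 deliberately produces no hit); and `rundll32.exe` loading from `ProgramData` is a broad heuristic that some legitimate installers trigger, so it needs an allowlist. The URL indicators on the page are truncated, so the network rule matches on the domain only.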
Related Reports
Tag: #Kimsuky
Six further Ahnlab reports tagged Kimsuky, all published within a month of this one; one of them, dated 2023-11-30, shares 5 IOCs with this report.